Agenda for Dr. Raymond Wagner's 1/28 Visit
2:00pm Introduction to UCCS Network/System Lab, Dr. Edward Chow
2:05pm Secure Collective Internet Defense (SCOLD), Yu Cai
2:35pm QoS/Information Fusion (INFOFUSE), Dr. Joe Zhou
3:05pm Information Sharing (INFOSHARE), Ganesh Godavari
3:35pm Discussion
4:05pm Demo/Lab tour

Part of this work is based on research sponsored by the Air Force Research Laboratory, under agreement numbers F49620-03-1-0207 and FA9550-04-1-0239 as NISSC grants, Fall 2003, Spring 2004 and Fall 2004.

UCCS Network/System Security Research
Outline of the Talk
• Overview of Network System Research Lab
• Organic systems and information security
  • Organic means self-configuration, self-management (adaptive to load), autonomic, and self-healing.
• Realizing an organic security technique: proxy-based multi-path indirect routing
• Improving measurable performance in cyber defense systems by QoS regulation with information fusion
• Developing techniques and tools for supporting secure information sharing and collaborative work among multiple agencies
UCCS Network Research Lab
• Dr. C. Edward Chow
• Dr. Xiaobo Zhou
• Graduate students:
  • John Bicknell/Steve McCaughey/Anders Hansmat: Distributed Network Restoration/Network Survivability
  • Hekki Julkunen: Dynamic Packet Filter
  • Chandra Prakash: Highly Available Linux Kernel-based Content Switch
  • Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
  • Longhua Li: IXP-based Content Switch
  • Nirmala Belusu: Wireless Network Security, PEAP vs. TTLS
  • David Wikinson: Enhanced DNS to Support Multipath Indirect Routing
  • Patricia Ferrao/Merlin Vincent: Web-based Collaborative System Support
  • Yu Cai (Ph.D.): Secure Collective Defense (SCOLD); Multipath Routing
  • Ganesh (Ph.D.): SIS, Linux-based Secure Web Switch
  • Hamzar Jaffar: QoS Routing
  • Frank Watson: Content Switch for Email Security; Multipath Routing
  • Sarah Jelinek: A2D2v2, Enterprise Intrusion Detection and Traceback
  • Murthy Andukuri: Enhanced BGP/MPLS-based VPN
  • Patrick Cook: Security Enhancement for Service Oriented Architecture
  • Krishna Neelanka, Jeff Rupp, Sid Rubey, Devjani Sinha: Wireless Sensor Networks
Sponsored Projects
• NISSC-AFRL (03-05)
  • Information Fusion, QoS Routing, Intrusion Tolerance
  • Secure Information Sharing, Secure Groupware
  • First Responder Sensor Networks, Secure WLAN
• QDot (04): Networked Radio for Sensor Applications
• ITT (03): Wireless Rogue Traffic Detection and Prevention
• Computer Communication Lab (00-03)
  • Secure Content Switch (Linux-based and IXP-based)
• Fujitsu (98-03): Network Measurement; Load Balancing
• ONR (95-98): Evaluation Tools for Satellite Networks
• CASI-Omnipoint (99): Wireless Information Network Planning
• CASI-USWest (94-95)
  • Resource Allocation for Wireless Information Networks and ATM; Network Restoration
• MCI (92-93; 97): Network Restoration; Survivable Networks (two US patents)
UCCS Network Lab Setup
• Gigabit fiber connection to UCCS backbone
• Switch/Firewall/Wireless AP/Sensor Network Gateway:
  • HP 4000 switch; 4 Linksys/D-Link switches
  • SonicWall Pro 300 firewall
  • 8 Intel 7112 SSL accelerators; 4 7820 XML directors donated by Intel
  • Cisco 1200 Aironet dual-band access point and 350 client PC/PCI cards (both 802.11a and 802.11b cards)
  • Intel Stargate sensor network gateway
  • Intel IXP12EB network processor evaluation board
• Servers: two Dell PowerEdge servers; three NCR S50 quad Xeon servers (donated by Intel; used in class/research)
• Workstations/PCs:
  • 8 Dell PCs (3 GHz-500 MHz); 12 HP PCs (500-233 MHz)
  • 2 laptop PCs with Aironet 350 for mobile wireless
  • 1 iPAQ PDA with
• OS: Linux Fedora Core 3; Red Hat 9.0; Windows XP/2000/2003
Lab diagram: HP 4000 switch, Gigabit fiber to UCCS backbone, workstations, Dell server, Intel IXP network processor.
• Intel 7110 SSL Accelerators
• 7280 XML Director
An Integrated System Infrastructure
An Enterprise Cyber-Defense System
Our Innovations in Organic Security
• Enhanced Intrusion-Tolerant DNS system
  • Allows multiple indirect routing entries
  • Allows peer-to-peer indirect DNS query
• Proxy-based Multiple Path Indirect Routing
  • Ready to deploy with connection relay servers
• Secure Information Sharing
  • Developed efficient procedures and tools to set up a Public Key Infrastructure for authentication and a Privilege Management Infrastructure for authorization (enhanced LDAP with Attribute Certificates and ACDE).
• Adaptive Available Network Bandwidth Measurement
• Highly Available Secure Server Cluster
  • Secure XML/URL-based content switch for e-commerce
  • High-availability load balancer configuration with Distributed File System support
• Autonomous Anti-Distributed Denial of Service (A2D2)
  • Multi-level adaptive rate-limiting firewall
  • IDIP-based enterprise intrusion detection extension being ported to the CIDF/IDMEF standards
• QoS Differentiation Techniques against Uncertainty
Discussion
• Feedback/suggestions?
• Trends/critical issues in cybersecurity from the Boeing perspective
• Research collaboration opportunities?
  • Boeing-sponsored projects?
  • Joint proposals to DoD/DHS?
• Follow-up visit to Boeing…
Utility Computing Technology
• Dynamic resource allocation/control according to load status.
• Accounting control according to the amount of resource used.
Diagram: applications running on a platform of servers, storage and network. Measurement and monitoring: load detection (CPU, memory, link bandwidth), service quality monitoring, bottleneck analysis, optimization of resource/content arrangement (simulator etc.). Resource re-allocation management and control: load balance control (within and between centers), traffic redirection. Account mechanism: user profile with utility time, utility CPU and utility bandwidth; measurement, monitoring, enforcement and control databases.
Distributed IDC/Organic Networking
Effective use of corporate center resources and data integrity
• Hosting multiple customer sites with utility-based charging.
• Direct clients to the faster/closer data center.
• Redirect requests during network congestion/system failures/DDoS attacks.
• Relocate servers to adapt to system load and flash crowds.
Diagram: IDC2 (BtoB/C portal) with operation resources shared between BtoB and BtoC; IDC3 (data backup) with backup resources; headquarters, group company, enterprise and consumer sites reach the IDCs over the Internet and VPN-CUG links.
A2D2 Multi-Level Adaptive Rate Limiting for Anti-DDoS Defense
SCOLD: Secure COLlective Defense
Diagram: target networks net-a.mil, net-b.mil and net-c.mil, each with a DNS server (DNS1-DNS3) and router R; alternate gateways R1, R2, R3; DDoS attack traffic and client traffic both arrive at the victim through its router and DNS.
Need to inform clients or client DNS servers! But how to tell which clients are not compromised? How to hide the IP addresses of the alternate gateways?
SCOLD
Diagram of the indirect-routing sequence (net-a.mil, net-b.mil, net-c.mil; DNS1-DNS3; Proxy1-Proxy3; alternate gateways R1-R3):
1. Victim sends a distress call to the Reroute Coordinator.
2. Reroute Coordinator sends a Reroute Command with (DNS name, IP address of victim, proxy server(s)).
3. New routes via Proxy1, Proxy2 and Proxy3.
4a. Attack traffic detected by the IDS is blocked by the firewall.
4b. Client traffic comes in via the alternate routes.
SCOLD Secure DNS Update with New Indirect DNS Entries
Modified Bind9 servers and a modified client resolve library exchange the new indirect DNS entries, for example:
(target.targetnet.com, 133.41.96.71, ALT 203.55.57.102 203.55.57.103 185.11.16.49 221.46.56.38)
New Indirect DNS Entries: a set of alternate proxy servers for indirect routes.
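The indirect entry above pairs a target's direct address with an ALT set of proxy servers. The following is an added illustration of how a client-side resolve library can consume such entries and the reroute command from the coordinator; it is not SCOLD's modified Bind9 or resolver code. The record layout, the class and function names and the reroute-matching rule are assumptions made for this example; the name and addresses are the slide's example values.

```python
"""Model of SCOLD-style indirect DNS entries (added illustration, not SCOLD code).

An entry carries the target's direct address plus an ALT set of proxy servers.
A reroute command from the coordinator names the victim and the proxies;
afterwards the client resolve library hands out alternates instead of the
direct address. Record layout and names below are assumptions.
"""
from dataclasses import dataclass, field
from itertools import cycle


def parse_alt_record(text):
    """Parse the slide's textual form '(name, direct_ip, ALT proxy1 proxy2 ...)'.

    The closing parenthesis is optional because the slide text omits it.
    """
    body = text.strip().lstrip("(").rstrip(")")
    parts = [p.strip() for p in body.split(",", 2)]
    if len(parts) != 3:
        raise ValueError("expected name, direct address and ALT list")
    name, direct, alt_field = parts
    tokens = alt_field.split()
    if len(tokens) < 2 or tokens[0] != "ALT":
        raise ValueError("ALT list missing or empty")
    return name, direct, tokens[1:]


@dataclass
class IndirectEntry:
    name: str
    direct: str
    alternates: list = field(default_factory=list)
    rerouted: bool = False  # set by a reroute command, cleared when the attack ends


class IndirectResolver:
    """Client resolve library: direct address normally, proxies once rerouted."""

    def __init__(self):
        self._entries = {}
        self._rotation = {}

    def add(self, name, direct, alternates=()):
        self._entries[name] = IndirectEntry(name, direct, list(alternates))

    def apply_reroute(self, name, victim_ip, proxies):
        """Install a reroute command (DNS name, victim IP, proxy servers).

        The victim IP must match the stored direct address, so a command that
        names a different host cannot redirect this name (assumed rule).
        """
        entry = self._entries.get(name)
        if entry is None or entry.direct != victim_ip:
            raise ValueError(f"reroute command does not match entry for {name}")
        entry.alternates = list(proxies)
        entry.rerouted = True
        self._rotation[name] = cycle(entry.alternates)

    def clear_reroute(self, name):
        """Return to the direct route once the attack traffic has been blocked."""
        self._entries[name].rerouted = False

    def resolve(self, name):
        """Address the client should connect to right now."""
        entry = self._entries[name]
        if not entry.rerouted or not entry.alternates:
            return entry.direct
        # Spread client traffic over the proxy set, one proxy per lookup.
        return next(self._rotation[name])


if __name__ == "__main__":
    record = "(target.targetnet.com, 133.41.96.71, ALT 203.55.57.102 203.55.57.103 185.11.16.49 221.46.56.38"
    name, direct, alts = parse_alt_record(record)
    resolver = IndirectResolver()
    resolver.add(name, direct)
    print("before reroute:", resolver.resolve(name))
    resolver.apply_reroute(name, direct, alts)
    print("after reroute: ", [resolver.resolve(name) for _ in range(5)])
```

Rotating over the ALT set is a design choice for the example: it spreads client traffic across the proxies so that no single alternate gateway becomes the new bottleneck.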
Diagram: IP tunnels.
SIS: Secure Information Sharing
Develop techniques and tools for supporting secure information sharing and collaborative work among multiple agencies, with focus on:
• Public Key Certificate (for authentication) and Attribute Certificate (for authorization, using Role Based Access Control) management for large-scale information sharing and collaborative work
• Infrastructure support for secure web-based collaborative applications
• Ubiquitous computing for sharing sensor and web information
SIS System Overview
Public Key Certificate (PKC) fields: Version, Serial Number, Signature ID, Subject, Issuer, Validity Period, Subject Public Key Info, Extensions, Signature.
Attribute Certificate (AC) fields: Version, Serial Number, Signature ID, Holder, Issuer, Validity Period, Attributes, Extensions, Signature.
Diagram: the AC Administration Tool, driven by the RBAC policy file and the user role specification, creates/changes/revokes attribute certificates stored in the LDAP server; a user authenticates to the mail, instant messaging, web and database servers with a PKC, and the Access Control Decision and Enforcement Engine authorizes requests using the ACs.
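To make the PKC/AC split concrete, here is an added example of the decision side of such a system; it is not code from the SIS project. An AC binds a holder (the subject authenticated with a PKC) to attributes, is signed by an issuer and carries a validity period; an RBAC policy maps roles to permissions. The engine accepts an AC only from a trusted issuer, not revoked, inside its validity period and belonging to the authenticated holder, then checks the holder's roles against the policy. Signature verification is represented by the issuer-trust check because the slide shows no cryptographic detail; the field names, policy format, function names and sample data are assumptions.

```python
"""Attribute-certificate-driven RBAC decision (added illustration, not SIS code).

Stands in for the slide's Access Control Decision and Enforcement Engine.
Field names, policy format and sample data are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AttributeCertificate:
    serial: int
    holder: str          # subject name taken from the holder's PKC
    issuer: str          # attribute authority that signed the AC
    not_before: datetime
    not_after: datetime
    attributes: tuple    # e.g. ("role=analyst", "role=reviewer")


# Constructed RBAC policy: role -> permissions (stands in for the policy file).
RBAC_POLICY = {
    "analyst": {"report:read"},
    "reviewer": {"report:read", "report:comment"},
    "admin": {"report:read", "report:comment", "report:publish"},
}

# Constructed trust anchor and revocation list (the admin tool's revoke action).
TRUSTED_ISSUERS = {"cn=sis-attribute-authority"}
REVOKED_SERIALS = {1002}


def roles_from_ac(ac, now):
    """Roles asserted by an AC, or an empty set if the AC is not acceptable."""
    if ac.issuer not in TRUSTED_ISSUERS:      # signature/trust check (simplified)
        return set()
    if ac.serial in REVOKED_SERIALS:          # revoked by the administration tool
        return set()
    if not (ac.not_before <= now <= ac.not_after):
        return set()
    return {a.split("=", 1)[1] for a in ac.attributes if a.startswith("role=")}


def decide(ac, authenticated_holder, permission, now=None):
    """True iff the authenticated holder may exercise `permission`.

    The holder name comes from PKC authentication; an AC issued to someone
    else grants nothing even if it is otherwise valid.
    """
    now = now or datetime.now(timezone.utc)
    if ac.holder != authenticated_holder:
        return False
    return any(permission in RBAC_POLICY.get(r, set()) for r in roles_from_ac(ac, now))


# Constructed sample data.
NOW = datetime(2005, 1, 28, 15, 0, tzinfo=timezone.utc)
_VALID_FROM = datetime(2005, 1, 1, tzinfo=timezone.utc)
_VALID_TO = datetime(2005, 12, 31, tzinfo=timezone.utc)
AC_ALICE = AttributeCertificate(1001, "cn=alice", "cn=sis-attribute-authority",
                                _VALID_FROM, _VALID_TO, ("role=reviewer",))
AC_BOB_REVOKED = AttributeCertificate(1002, "cn=bob", "cn=sis-attribute-authority",
                                      _VALID_FROM, _VALID_TO, ("role=admin",))
AC_CAROL_EXPIRED = AttributeCertificate(1003, "cn=carol", "cn=sis-attribute-authority",
                                        datetime(2004, 1, 1, tzinfo=timezone.utc),
                                        datetime(2004, 12, 31, tzinfo=timezone.utc),
                                        ("role=admin",))
AC_DAVE_UNTRUSTED = AttributeCertificate(1004, "cn=dave", "cn=rogue-authority",
                                         _VALID_FROM, _VALID_TO, ("role=admin",))

if __name__ == "__main__":
    for ac, who, perm in [(AC_ALICE, "cn=alice", "report:comment"),
                          (AC_ALICE, "cn=alice", "report:publish"),
                          (AC_BOB_REVOKED, "cn=bob", "report:read"),
                          (AC_CAROL_EXPIRED, "cn=carol", "report:read"),
                          (AC_DAVE_UNTRUSTED, "cn=dave", "report:read")]:
        print(who, perm, decide(ac, who, perm, NOW))
```

Keeping revocation and validity checks in `roles_from_ac` means every permission check re-evaluates the AC, which is what makes the administration tool's revoke action take effect immediately.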
SIS Test-bed Performance
Chart: access time from a client at sis-canada.
Innovations in SIS Project
• Developed efficient procedures and tools to set up a Public Key Infrastructure for authentication and a Privilege Management Infrastructure for authorization.
• Created a multi-agency SIS test bed based on LDAP and web servers.
  • OpenLDAP servers were enhanced to accept attribute certificates.
  • The LDAP module of the Apache web server was extended to achieve secure web access.
• Innovation in distribution: software/demo prototype available on DVD with MS Virtual PC 2004, as a network of User Mode Linux (UML) virtual machines, at a nominal fee.
Secure Scalable Collaborative Tools
• Developed the Edge Server-side Include Collaborative (ESIC) framework for developing collaborative systems
  • Ready to deploy via Content Delivery Network systems such as Akamai, tapping into the resources of thousands of CDN cache servers and their bandwidth.
• Developed the web-based, firewall-friendly CoWebBrowser for collaborative viewing of web documents
  • Based on signed JavaScript and pushlet technologies.
• Developing secure groupware for First Responders
  • Instant messaging/remote file display utilizing PDAs with wireless LAN 802.11
  • Integrate the KeyStone group key management system with the Jabber instant messaging system
  • Being extended to access a mica2 wireless sensor network for fire and firefighter tracking.
Our Innovations in Organic Security
• Enhanced Intrusion-Tolerant DNS system
  • Allows multiple indirect routing entries
  • Allows peer-to-peer indirect DNS query
• Proxy-based Multiple Path Indirect Routing
  • Ready to deploy with connection relay servers
• Adaptive Available Network Bandwidth Measurement
• Highly Available Secure Server Cluster
  • Secure XML/URL-based content switch for e-commerce
  • High-availability load balancer configuration with Distributed File System support
• Autonomous Anti-Distributed Denial of Service (A2D2)
  • Multi-level adaptive rate-limiting firewall
  • IDIP-based enterprise intrusion detection extension being ported to the CIDF/IDMEF standards
• QoS Differentiation Techniques against Uncertainty
An Integrated System Infrastructure
What Are the Goals?
To improve measurable network and system performance under cyber attacks, threats, and uncertainty, we want to design an effective enterprise cyber-defense system by integrating:
• A distributed intrusion detection system
• An intrusion information fusion infrastructure
• QoS regulation techniques for uncertain intrusion handling at enhanced routers and end server systems
• Intrusion tolerance techniques based on proxy-based multiple path routing
Why QoS in Security?
• QoS is the target of cyber-attacks
  • Reduced QoS levels provided by systems and networks and experienced by users
  • Weak trustworthiness of Internet services
  • Worst case: no service (no QoS)
• QoS is also a means
  • To help systems and networks behave under uncertainty
  • To slow down potentially malicious code (e.g., worms)
  • To enhance system and network performance
How Could That Be?
• Make the performance of systems and networks configurable and controllable by themselves, instead of by the parameters and behaviors of attacks
• Worm-infected hosts have a much higher connection-failure rate than others
• Even among successful connections, we may distinguish normal behaviors, aggressive behaviors, potentially malicious behaviors, and confirmed (malicious) behaviors
• Traffic with different behaviors will be processed by systems and networks differently
  • Not just client-based, but class-based
What Do We Need?
• A distributed intrusion detection system
  • Collects behaviors with different confidence levels
• An information fusion infrastructure
  • Decision making and classification
• QoS differentiation and regulation techniques
  • Processing per-class traffic differently
  • Network edge routers
  • Endpoint computer systems
  • Individual servers and cluster-based servers
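The three needs just listed form one pipeline: detection produces behaviour evidence, fusion turns it into a class, and QoS regulation processes each class differently. The following added example, which is not code from the INFOFUSE project, walks through that pipeline on constructed connection logs: it scores hosts by connection-failure rate (the worm symptom named on the previous slide), fuses the rate with an IDS confidence score into one of four classes, and serves queued requests by weighted round robin so that each class receives a controlled share of service however aggressively it sends. The log format, thresholds, weights and function names are assumptions for this example.

```python
"""Class-based QoS differentiation driven by behaviour evidence.

Added illustration, not INFOFUSE project code. Log format, thresholds and
weights below are assumptions made for this example.
"""
from collections import defaultdict, deque

# Constructed log: "<src_ip> <dst_ip>:<port> <SYN_OK|SYN_FAIL>", one attempt per line.
SAMPLE_LOG = """\
10.0.0.5 192.168.1.10:80 SYN_OK
10.0.0.5 192.168.1.11:80 SYN_OK
10.0.0.5 192.168.1.12:80 SYN_FAIL
10.0.0.5 192.168.1.10:443 SYN_OK
10.0.0.7 192.168.1.20:22 SYN_OK
10.0.0.7 192.168.1.21:22 SYN_FAIL
10.0.0.7 192.168.1.22:22 SYN_OK
10.0.0.7 192.168.1.23:22 SYN_FAIL
10.0.0.9 192.168.1.30:445 SYN_FAIL
10.0.0.9 192.168.1.31:445 SYN_FAIL
10.0.0.9 192.168.1.32:445 SYN_FAIL
10.0.0.9 192.168.1.33:445 SYN_FAIL
10.0.0.9 192.168.1.34:445 SYN_FAIL
"""

CLASSES = ("normal", "aggressive", "suspect", "confirmed")
# Requests served per scheduling round for each class; confirmed traffic gets none.
WEIGHTS = {"normal": 8, "aggressive": 4, "suspect": 1, "confirmed": 0}


def failure_rates(log_text):
    """Step 1 (detection): per-host connection-failure rate from the log."""
    counts = defaultdict(lambda: [0, 0])  # host -> [attempts, failures]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _dst, outcome = line.split()
        counts[src][0] += 1
        if outcome == "SYN_FAIL":
            counts[src][1] += 1
    return {host: failed / attempts for host, (attempts, failed) in counts.items()}


def classify(failure_rate, ids_confidence):
    """Step 2 (fusion): combine failure rate with IDS confidence (0..1) into a class."""
    if ids_confidence >= 0.9:
        return "confirmed"
    if failure_rate >= 0.8 or ids_confidence >= 0.5:
        return "suspect"
    if failure_rate >= 0.4:
        return "aggressive"
    return "normal"


def classify_hosts(log_text, ids_scores):
    """host -> class for every host in the log; a host without an IDS score gets 0."""
    return {host: classify(rate, ids_scores.get(host, 0.0))
            for host, rate in failure_rates(log_text).items()}


def weighted_schedule(queues, weights=WEIGHTS, rounds=1):
    """Step 3 (differentiation): weighted round robin over per-class queues.

    Each round serves at most weights[c] requests from class c, so a class
    cannot win more service by flooding its own queue. Returns the order in
    which (class, request) pairs are served.
    """
    pending = {cls: deque(queues.get(cls, ())) for cls in CLASSES}
    order = []
    for _ in range(rounds):
        for cls in CLASSES:
            for _ in range(weights[cls]):
                if pending[cls]:
                    order.append((cls, pending[cls].popleft()))
    return order


if __name__ == "__main__":
    print(classify_hosts(SAMPLE_LOG, {"10.0.0.9": 0.95}))
    queues = {cls: [f"{cls}-{i}" for i in range(10)] for cls in CLASSES}
    served = weighted_schedule(queues)
    print({cls: sum(1 for c, _ in served if c == cls) for cls in CLASSES})
```

The scheduler is where the slide's point lands: with equal backlogs in every queue, one round serves 8 normal, 4 aggressive and 1 suspect request and nothing from the confirmed class, so the share each class receives is set by the defender's weights rather than by the attacker's send rate.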
Integrated Resource Allocation
Proportional Response Differentiation
System Robustness
A Microscopic View
Impact of Feedback Control
Two-tier Allocation in Server Clusters
Three-class Slowdown Differentiation
A Microscopic View
IEEE SNS2005 Workshop
• The 1st IEEE Int'l Workshop on System and Network Security (SNS 2005)
  • In conjunction with the 19th IEEE IPDPS
  • Denver, April (4-)8, 2005
  • www.cs.uccs.edu/~SNS/sns2005.html
• Received 50 full-paper submissions from 15+ countries: USA, Canada, UK, France, Spain, Germany, China, India, Japan, Greece, Egypt, Finland, Switzerland, Australia, Singapore, etc.
• To accept about 18 papers
• JNCA special issue on Security in Distributed Systems and Networks, Academic Press of Elsevier, Spring 2006